How To Use SPF To Protect Your Domain From Spoofing

Email Deliverability Simplified | The Blog


How To Use SPF To Protect Your Domain From Spoofing

Many business owners are currently struggling to rebuild trust in their brand. This is because at one point or another, scammers have used their domain to scam many of their unsuspecting customers and subscribers. This has created a disconnect between them and their customers. Subscribers now hesitate to trust anything that comes from their domain. So, they are now losing sales they would have otherwise closed.

This doesn’t have to happen to you. You can join other smart email marketers and business owners using SPF to protect their domain from spoofing.

Table Of Contents

With Clickable Navigation

What Is SPF?

Why Do You Need SPF?

How Does SPF Work?

What Is SPF Record?

How Do I Create An SPF Record?

How To Verify Your SPF Record

SPF Verification Result Translation

Major Components Of An SPF Record

What Is SPF?

Sender Policy Framework (SPF) is an email authentication standard. A domain owner can use SPF to inform email exchange senders that are approved to send emails from their domain.

SPF has a record containing the list of IP addresses you approve for sending emails through your domain. You can find the SPF record in the Domain Name System (DNS).

Your Email Service Provider can identify forged sender addresses. They can do this by checking the record to verify the identity of the sender. They can then penalize imitation addresses.

Why Do You Need SPF?

People can send emails from their computers and claim that they’re from any source. Spammers are taking advantage of this opportunity to forge email addresses. They’re then using them for spoofing.

They do this by disguising themselves as a trusted source. From there, they are able to deceive the email receivers into reading their messages. Spoofing is intended to make people give away their confidential information. Because of this, the people behind it damage the reputation of the email address or domain name they forge.

As an email marketer or business owner, you will lose credibility if your domain is used for sending spoofing emails.

Some spammers may send unauthorized emails through your domain as well. If they do, your domain may be flagged as spam. Emails from a flagged domain won’t be allowed into the inbox folder. This will have a negative impact on your deliverability.

Set up an SPF record for your email address or domain name. When you do this, ESPs will recognize the domain as legit and won’t flag messages from the domain as spam. Plus, it will recognize emails sent from unauthorized hosts and flag such emails as spam.

By doing this, spammers are less likely to use your domain for spoofing. This ensures you will also avoid being blacklisted. This is one sure way to ensure your emails end up in your subscribers’ inboxes instead of spam folders.

If you don’t protect your domain with SPF, your ESP may mark emails from the domain as spam. You can prevent spammers from using your domain and improve your deliverability through SPF.

How Does SPF Work?

ESP verifies your SPF record before it delivers your messages to your subscribers. It reviews the domain in the Return Path or “envelope from” in the header.

It then compares the IP address you sent the message from, to the IP addresses in the domain’s SPF record. If the address is not listed in the record, the message will fail SPF authentication.

What Is SPF Record?

An SPF record is a record of all the approved users of your domain name. Messages from IP addresses that you didn’t list on your SPF record are from spammers.

How Do I Create An SPF Record?

You must create an SPF record for your domain first before an Email Service Provider (ESP) can use the record for verification. Follow the steps below to create the record without stress:

1. Collect the IP addresses

You must first collect the IP addresses that are used to send emails through your domain. This may include organizations or individuals that use third-party mail servers to send an email on your behalf. The list should cover all your mail servers.

You can check your ISP’s mail server, an in-office mail server, or your web server as likely IP addresses to include in the SPF record. If you’re using an ESP, reach out to them to obtain your sending IP address.

2. Compile A List Of Your Sending Domains

It is possible that your company has several domains registered in its name. You may use some of these domains for sending emails while you may not use others.

Create SPF records that contain both IP addresses you use regularly and those you don’t use for mailing. This is to prevent spammers from targeting the domains you don’t use if they can’t access the ones you use regularly.

Once you have a list of the sending domains, go ahead and create the SPF record.

3. Create the Record

You can define the record you want to create as SPF. This type of version begins with the version number in this format: v = spf 1. In this case, you have the first version of an SPF record.

Once you have included the version type, list the IP addresses you wish to let use your domain for sending emails on your behalf. For instance, v = spf1 ip4: 34.243.56. 357 ip6: 3ao9: do84: 851e, and so on.

If there are third-party organizations you use for sending out emails for your brand, include them as well. For instance, include: By including the third party, you have empowered it to send emails on your domain name.

Once you have successfully added the include tags and IP addresses, end the record with –all or ~all tag. This tag is very important in the SPF record. This is because it determines the best way to handle a server not listed in the SPF record. If the server sends a message via your domain, the action determined by the tag will be executed on the erring server. It may mark the email as spam or reject it.

If you define your SPF record properly, it will be in this form: v=spf1 ip4: ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e –all

When creating your SPF record, note that you can’t exceed 255 characters. But, if you must exceed the character limit while adding more IP addresses, use the include option. Add this to your SPF record this way: include: Then create another TXT or SPF record for “extra.” Place another block of 255 characters in the new record. You can do this for as many blocks of IP addresses as you want.

You also can’t add more than 10 include tags. If you use more than the 10 DNS query limit, the record will produce an error and blank out as if you haven’t created any record.

Once you are done with the SPF record creation, publish it into the DNS.

4. Publish the SPF Record

When you publish the record into the DNS, Hotmail, Gmail, and other email service providers can have easy access to it. If your DNS provider provided you with a dashboard, use it to publish the record. Otherwise, ask the DNS provider to assist you to publish it.

If you want to publish it through your DNS manager, follow these steps:

  1. Visit your domain host provider’s website and log in to your domain account.
  2. Use the DNS management menu.
  3. Select the domain containing the records you want to change.
  4. Open the DNS Manager.
  5. Check the text section and create a TXT record.
  6. Write your domain name in the Host field.
  7. Input your SPF record in the TXT Value field.
  8. Specify the Time to Live (TTL). You may leave it at the default or enter 3600. The Time to Live refers to the lifespan of data stores in a network or a computer.
  9. Click “Add Record” or “Save” to publish the record into your DNS.

Note that it may take up to 48 hours before the record goes into effect.

If you can’t handle the publishing, contact your DNS server administrator for help. They will assist you with publishing to enable email providers to make easy reference to it.

If you are unsure of whether your ISP administers your DNS records, your IT department should be of help.

5. Test the SPF Record

When you are through with the record creation, test it. The test result will show you the list of all the servers that are authorized to use your domain to send an email. If the list doesn’t contain some of the IP addresses you authorized for sending emails, update your record.

How To Verify Your SPF Record

Your SPF record is only useful if it is valid. You can only learn its validity by running it through an SPF record testing tool.

With the tools, you can get the SPF record for your domain name and check it for validity. This includes checking whether the record has the right syntax that will make it valid. This test is important before you publish your records. If the record is not syntactically correct, it may be difficult for ESPs to reference it.

You can also test your record’s performance too. This test will cover the different IP addresses the mail may be sent from.

There are different tools for SPF record verification. They have a similar verification procedure.

There are several tools for checking an SPF record. You can use any of the tools for the verification.

The verification process follows the following format:

  • Go to the website.
  • Enter the domain name you want to check the SPF record for.
  • Click “Run Checks.”
  • Upon completion of the test, you will receive the result of the test with the list of several IP addresses.

SPF Verification Result Translation

The verification test will give you some results. These results give you a clue into your domain name’s performance.

  • None: There was no SPF record for the domain.
  • Neutral: The domain owner doesn’t want to state that it has authorized the IP address to send messages from the domain. This result receives the same treatment as the ‘None’ result. Such SPF records use the ? qualifier.
  • Pass: The IP address can send information from the domain.
  • Fail: The IP address is not authorized to use the domain.
  • SoftFail: The IP address may use the domain or may not use it.
  • TempError: There was a temporary error during the verification process. This may be caused by some technical issues during the exercise. This doesn’t imply that the SPF record is invalid.
  • PermError: The ESP can’t verify the published SPF record. This may be the result of a format or syntax error in the record itself.

Major Components Of An SPF Record

The SPF version number and some strings make up the SPF record. The strings include mechanisms, qualifiers, and modifiers.

SPF Mechanisms

The SPF record contains some mechanisms. Some of them are:

  • All: this mechanism is used for ~all and other default results. It matches for both remote and local IPs. It is usually at the SPF record’s end. Hence, the ESP should accept the message but classify it in the Soft Fail category.
  • A: the mechanism will match under the condition that the domain already has an address record that can be sent to the sender’s address. In a nutshell, it covers the IPs in the A record of the DNS. So, if someone uses your A record’s IP address to send an email, the message will pass.
  • IP4: It should match if the sender is within IPv4 address range. It may also refer to a single IPv4 address.
  • IP6: Sender in IPv6 address will make it match.
  • MX: It will also match if there is an MX record in the domain name. It covers all A and AAAA records for each of the MX records. There is a match if the email is from an IP address of the incoming mail servers of the domain.
  • EXISTS: Matching is positive if the domain name resolves to an address. This is regardless of the address the domain resolves to.
  • PTR: This specifies all the A records associated with the PTR record of each host.
  • INCLUDE: all authorized domains are specified with this mechanism.

For instance, “v=spf1 mx-all” indicates that the MX hosts of the domain should be allowed to send emails through the domain while other hosts are not allowed to do so.

SPF Qualifiers

Qualifiers are used to prefix mechanisms. There are four qualifiers. These four qualifiers are:

  • “+”: This signifies “Pass.” It informs the ESP to accept messages from the address because it passed the verification test. For example: “v=spf1+all.”
  • “-”: This is a Hard Fail: In this case, the address failed the verification test. ESP should bounce emails from such addresses.
  • “~”: Soft Fail: Although the address didn’t pass the test, there is no definitive result about it. Thus, the ESP may accept non-compliant emails and tag them. For example: “v=spf1~all”
  • “?”: The address neither passes nor fails the test. In this case, the ESP may do whatever pleases it with the address. It may accept or reject it. For example: “v=spf1?all”

Note that the “+” will be the default option if you don’t include a qualifier.

SPF Modifiers

Modifiers are added to an SPF to provide extra information about it. There are two major modifiers:

  • “Redirect” This modifier comes in handy when you have more than a domain. It’s also handy when you want to use the same SPF content on all the domains. The modifier is good if you are the one managing all the domains. Alternatively, you can use the “include” if you are not. It takes this form: redirect
  • “Exp” sometimes, a matched mechanism can have a Fail qualifier. This modifier comes in handy. Its major function is to provide an explanation for such a problem.

Modifiers are usually placed after the SPF record.


Do you want a fool-proof system that protects from spoofing and its negative effects? Consider using SPF with other tools such as DMARC and DKIM.


DMARC stands for Domain-Based Message Authentication, Reporting, and Conformance. It allows you to specify how your ESP should handle messages that appear to come from your domain.

You confirm all the domains that are allowed to send messages. DMARC provides information on how to authenticate your sender’s domain. It also helps with how to deal with suspicious emails.

It recommends three ways of handling suspicious emails. The ESP may not take any action on the email or mark it as spam. In the meantime, it keeps the message to enable it to process it better.

It may also inform the ESP to reject the email. This will help you keep your credibility. It will help ease any worries over whether someone is using your domain name for sending information.


DKIM stands for DomainKeys Identified Mail. It is a standard that ensures the message you send out is not altered before it reaches its destination.

DKIM enables you to sign the outgoing message as coming from your domain with a unique signature. You can use this when sending emails to your subscribers. Subscribers can verify the source of the email with the signature. So, if an email claims to come from your domain, they can easily check to confirm whether you sent the message or not.

DKIM also enables ESPs to identify the source of a message and confirm whether it is valid or not.

When they receive an email, they check the DKIM header to confirm its validity. They can also determine the next line of action once they have enough information about the source.

SPF does a good job at protecting your domain from spoofing. When used together with DKIM and DMARC, they will help you block potential loopholes that spammers may want to exploit.

This will improve your domain’s credibility and boost your delivery rates.

Let’s Get In Touch

Need help setting up SPF, DKIM, or DMARC? Our Managed Services team would be happy to assist. Get in touch today!

Guide to Spam Proof Email Marketing: Part 2 – Start Your Email Marketing Process

Welcome to Part 2 in our series, 'Your Guide to Spam Proof Email Marketing.'  In this blog, we will cover everything you need to know to start your email marketing process. Setup Your Email Marketing Process The first thing you'll want to do is build your email lists....

Postini Spam Filter

Google recently announced that they will no longer use Postini as a stand-alone service for their Google Apps customers. Since the popularity of Postini continues to decline and Google is now actively directing their customers away from Postini, we have decided to...

The Scary Truth: It’s Time for Your Quarterly Email Audit

Just like with your health, the health of your email reputation depends on you to get a quarterly check-up...we mean, audit.  To keep your email list in tip-top shape, you should schedule the time to perform a quarterly audit.  Trust us, your email reputation will...

5 Ways to Organically Grow Your Email List

For new businesses starting out, the allure of purchasing email lists is very tempting.  But as we've cautioned before, purchasing email lists is a dangerous business.  To ensure optimal results and protect your brand's email reputation, you want to build your email...

Marketing Email Content Preview Testing

Email content preview allows you to send a single test to many different email providers. MailMonitor will automatically check those email accounts and take real screenshots of your email from the most popular browsers and email service providers. We will also take a...

You’ve Been Email Blacklisted….Now What?

In some of our previous blogs, we've reviewed the reasons why you might have ended up in a blacklist.  The reasons may vary, but typically the service provider will inform you as to the specifics around why you might have been blacklisted.  So now that you're email...

Could Your Sender Reputation be Impacting Landing in Inboxes?

As marketers, we often focus on creating the perfect email and spend a great deal of our time monitoring the click-through and open rates of those emails.  While creating catchy content and tracking performance are both important, the most important goal, and sadly,...

Guide to Spam Proof Email Marketing: Part 1 – Why Email Marketing

Welcome to our six-part series, "Your Guide to Spam Proof Email Marketing."  As your partners in email deliverability, we want to help you create email marketing campaigns that succeed, which is why we created this series. Our series will be broken into the following...

Reputation Tracking – Why is it Important for You?

In our recent blogs, we have been talking about the ways in which email marketers can stay away from the recipient’s dreaded spam folder. This week, let’s touch on another essential way in which you can avoid getting your messages from being marked spam: Reputation...

MailMonitor Adds 14 ISPs to Email Deliverability Tracking

MailMonitor reporting now includes tracking for 14 additional ISPs, bringing the total number of ISPs tracked 45. This new release of ISPs is particularly focused on European and B2B email providers. The newly added ISPs are: Godaddy...

Mastering Email Deliverability 

Can be easier than you think